httpd-dev mailing list archives

From Andrew Wilson <and...@www.elsevier.co.uk>
Subject Re: public_cgi-bin scripts
Date Mon, 17 Apr 1995 23:08:37 GMT

> There are sites which use a setuid-root "wrapper" program so that a user's
> CGI scripts may run with the user's *own* full privileges --- but that's
> also a somewhat dangerous practice.

Ah perhaps that's what COMMA are doing.  Everyone's in bed right now so
I'll have to wait till tomorrow to get Robert Evans' answer.  Unless Rob H
can remember?

> rst
> 

Incidentally, is this dangerous in the sense of Joe.User writing a
script to fork a million processes and hang the server?  Or writing some
script which fills up the filesystem?

   [in which case you shouldn't even give your users access to 'cc' ;)]

Or is there a more general security issue, like being able to read .passwd
files or whatever due to misplaced permissions?

Ay.
